CVE-2019-19589

9.8 CRITICAL

📋 TL;DR

The Lever PDF Embedder plugin 4.4 for WordPress fails to block polyglot PDF/JAR files, potentially allowing attackers to distribute malware disguised as PDFs. This affects WordPress sites using the vulnerable plugin version. Note that the vulnerability's validity is disputed since the plugin doesn't control file uploads.

💻 Affected Systems

Products:
  • Lever PDF Embedder WordPress Plugin
Versions: 4.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress installations with the vulnerable plugin version. The vulnerability's validity is disputed by some security researchers.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could upload malicious JAR files disguised as PDFs, leading to remote code execution or malware distribution when users download and execute the files.

🟠 Likely Case

Limited impact since the plugin only serves files and doesn't control uploads; attackers would need to bypass WordPress core upload restrictions first.

🟢 If Mitigated

Minimal impact if WordPress core file upload restrictions are properly configured and users don't manually rename downloaded files.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires:

  1. Uploading the polyglot file through WordPress (may require authentication)
  2. Users downloading the file and manually renaming it to a .jar extension
  3. The user executing the JAR file

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.5 and later

Vendor Advisory: https://wordpress.org/plugins/pdf-embedder/#developers

Restart Required: No

Instructions:

  1. Log into the WordPress admin panel.
  2. Navigate to Plugins → Installed Plugins.
  3. Find 'PDF Embedder' and click 'Update Now'.
  4. Verify the version is 4.5 or higher.

🔧 Temporary Workarounds

Disable PDF Embedder Plugin (platform: all)

Temporarily disable the vulnerable plugin until it is patched:

wp plugin deactivate pdf-embedder

Restrict File Uploads (platform: all)

Configure WordPress to block .jar files and polyglot files at upload. Add to wp-config.php (WordPress already filters upload types by default; make sure no other line sets this constant to true):

define('ALLOW_UNFILTERED_UPLOADS', false);

🧯 If You Can't Patch

  • Implement strict file upload validation at WordPress level to block polyglot files
  • Educate users not to rename downloaded files and to verify file extensions before execution
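Extension and MIME checks alone cannot tell a polyglot from a plain PDF, because the file genuinely starts with a PDF header. The scanner below is an added example (not code from this advisory, the PDF Embedder plugin, or WordPress) that detects the PDF/JAR combination structurally: a JAR is a ZIP archive, ZIP readers locate the archive from its end-of-central-directory record, so a file that carries a PDF header in its first 1024 bytes and also parses as a ZIP is flagged. It can be run over an uploads directory or used as a pre-upload check; `build_test_samples` constructs harmless test inputs (a manifest and a text entry, no bytecode) so the scanner can be exercised offline.

```python
"""Scan files for PDF/ZIP polyglots (the PDF/JAR trick this advisory describes).

Added example, not part of the original advisory or the plugin. A JAR is a ZIP
archive, and ZIP readers locate the archive from its end, so a file can start
with a valid PDF header and still unpack as a JAR. This scanner flags files
that carry both structures at once.
"""
import io
import os
import zipfile
from dataclasses import dataclass, field
from typing import Dict, List

PDF_MAGIC = b"%PDF-"
ZIP_LOCAL_HEADER = b"PK\x03\x04"   # start of a ZIP local file entry
ZIP_EOCD = b"PK\x05\x06"           # end-of-central-directory record


@dataclass
class ScanResult:
    is_pdf: bool
    is_zip: bool
    zip_entries: List[str] = field(default_factory=list)

    @property
    def is_polyglot(self) -> bool:
        return self.is_pdf and self.is_zip

    @property
    def is_jar(self) -> bool:
        # A JAR is a ZIP that carries META-INF/MANIFEST.MF.
        return self.is_zip and any(
            name.upper() == "META-INF/MANIFEST.MF" for name in self.zip_entries)


def scan_bytes(data: bytes) -> ScanResult:
    """Classify a file's bytes as PDF, ZIP, both (polyglot), or neither."""
    # PDF readers accept the header anywhere in the first 1024 bytes,
    # so do not require it at offset 0.
    is_pdf = PDF_MAGIC in data[:1024]
    is_zip = False
    entries: List[str] = []
    if data.rfind(ZIP_EOCD) != -1:
        # zipfile tolerates data prepended to the archive (it re-bases the
        # central-directory offsets), which is exactly the polyglot layout.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                entries = zf.namelist()
                is_zip = True
        except zipfile.BadZipFile:
            # Damaged archive: local-entry headers are still suspicious.
            is_zip = ZIP_LOCAL_HEADER in data
    return ScanResult(is_pdf, is_zip, entries)


def scan_directory(root: str, suffix: str = ".pdf") -> List[str]:
    """Return paths under root that claim to be PDFs but also parse as ZIP."""
    hits: List[str] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(suffix):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if scan_bytes(fh.read()).is_polyglot:
                    hits.append(path)
    return hits


def build_test_samples() -> Dict[str, bytes]:
    """Constructed inputs for exercising the scanner (harmless, no bytecode)."""
    pdf = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("placeholder.txt", "constructed test entry\n")
    jar = buf.getvalue()
    return {"pdf": pdf, "jar": jar, "polyglot": pdf + jar}


if __name__ == "__main__":
    for label, blob in build_test_samples().items():
        result = scan_bytes(blob)
        print(f"{label:9s} pdf={result.is_pdf} zip={result.is_zip} "
              f"jar={result.is_jar} polyglot={result.is_polyglot}")
```

Treat hits as items for review rather than automatic proof of abuse: a PDF that legitimately carries an uncompressed ZIP attachment stream will also trigger, and the `zip_entries` list (a `META-INF/MANIFEST.MF` entry in particular) is what distinguishes a JAR from other archive content.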

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → PDF Embedder version. If the version is exactly 4.4, the system is vulnerable.

Check Version:

wp plugin get pdf-embedder --field=version

Verify Fix Applied:

Verify PDF Embedder plugin version is 4.5 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • WordPress upload logs showing PDF files with unusual headers
  • Access logs showing requests for .pdf files followed by .jar requests

Network Indicators:

  • Unusual file downloads with PDF MIME type but executable content
  • Traffic patterns showing PDF downloads followed by JAR execution attempts

SIEM Query:

source="wordpress.log" AND ("upload" AND ".pdf") AND ("polyglot" OR "jar" OR "executable")

🔗 References
